About Bro Cluster Configuration

Cristian_Barbaro · February 29, 2016, 6:19pm

Hello, I have a question about Bro Cluster architecture. By default, the
cluster architecture has a frontend listening to a ahigh-speed link;
spliting traffic to each worker and to finally all workers information
be administered by a manager using a proxy, etc.

What we want to do is to have several workers analysing different
networks segments and that each of those workers communicate with a
manager, who will be responsible for managing all information and of
course, enabling a centralized administration of workers configuration.

Is it possible to do this?

Thanks and regards.

Vlad_Grigorescu3 · February 29, 2016, 7:07pm

Yes, this should be fine. The standard architecture is meant to
provide load-balancing for monitoring points that are too large for a
single system to monitor (> 4-5 Gbps with modern, beefy hardware). As
long as each Bro worker is seeing both the upflow and downflow of each
connection it sees, the cluster doesn't care about which worker sees
which subset of the overall traffic.

--Vlad

Cristian Daniel Barbaro <cbarbaro@cert.unlp.edu.ar> writes:

Cristian_Barbaro · March 1, 2016, 12:06pm

Perfect. I'll try it.

Thanks.

Topic		Replies	Views
cluster question Zeek	8	53	May 6, 2022
Bro cluster synchronization Zeek	1	82	May 6, 2022
Adding more bro workers Zeek	2	70	May 6, 2022
Worker configuration in Bro cluster Zeek	2	67	May 6, 2022
optimize running bro from PCAPs / advantage of cluster mode Zeek	5	126	May 6, 2022

About Bro Cluster Configuration

Related Topics